Application Layer Filtering (ALF): What is it and How does it Fit into your Security Plan?
In this article, we'll provide an overview of ALF technology, take a look at some ways in which it's implemented in today's security products, and help you understand the benefits - and the limitations - of this component of a fully functional multi-layer filtering solution.
What Layer(s) Are You Filtering?
In its most rudimentary form, a firewall is designed to keep specified types of traffic from passing from the external network (typically the Internet) to the internal network. This allows administrators to control what enters the local network and keep undesirable data out. In addition to filtering this inbound traffic, a firewall can also keep specified types of traffic from passing from the internal network to the external (outbound traffic), thus preventing internal users from sending various types of data, or sending data to particular destinations.
The traditional firewall uses packet filtering, which works at the network layer of the OSI networking model. Modern firewalls use an improved version called stateful packet filtering, which works at the network and transport layers and keeps a table of the connections it has already permitted. Such a filter can allow or deny traffic based on source or destination IP address, on other header information such as source and destination TCP and UDP port numbers, and on whether a packet belongs to an established connection. Dynamic packet filtering opens and closes ports on the firewall as needed (for example, to admit the replies to a permitted outbound connection), whereas static packet filtering requires ports to be opened and closed manually.
Packet filtering lets you set several different criteria by which a data packet can be allowed or rejected:
- You can block or allow traffic sent from a particular source IP address
- You can block or allow traffic sent to a particular destination IP address
- You can block traffic that uses a particular TCP or UDP port
Because different applications use "well known" ports for their communications, you can use packet filtering to block, for example, FTP (by blocking port 21, the FTP control channel; port 20 is only the server side of an active-mode data transfer), Telnet (by blocking port 23) or SMTP (by blocking port 25). Keep in mind that this only works while applications stay on their well-known ports: a server listening on an unusual port, or a protocol tunnelled over a permitted port such as 80, passes a port-based rule untouched.
Another level of filtering is done by circuit level gateways, which work at the session layer. Circuit filtering examines the TCP handshake that sets up a connection to judge whether the session is legitimate, then relays the packets of that session without looking inside them.
What you can't do with packet filtering or circuit filtering is examine the actual contents of the data and block messages based on those contents. For that, you need to filter at the application layer. In other words, you need ALF.
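To make the limitation concrete, here is an added example (not code from the article or from any firewall product) of a toy stateful packet filter in Python. The internal address range, the rule set and the packets it processes are all constructed for the demo. The filter decides on header fields plus a connection table, exactly what a network/transport layer filter can see; the final packet shows that a hostile request on a permitted connection sails through because the payload is never examined.

```python
# Added example (not from the article or any vendor product): a toy stateful
# packet filter. Its only inputs are header fields and a connection table,
# which is all that network/transport layer filtering can see.
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # assumed internal address range for the demo


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False      # TCP SYN flag: a new connection attempt
    ack: bool = False
    payload: bytes = b""   # carried but never examined by this filter


# Static rules: (direction, proto, destination port, action). First match wins.
# FTP is blocked on its control port 21; port 20 is only the server side of
# an active-mode data connection.
RULES = [
    ("out", "tcp", 21, "deny"),    # FTP
    ("out", "tcp", 23, "deny"),    # Telnet
    ("out", "tcp", 80, "allow"),   # HTTP to the Internet
    ("out", "tcp", 25, "allow"),   # outbound mail
    ("in", "tcp", 25, "allow"),    # inbound mail to the local SMTP server
]
DEFAULT_ACTION = "deny"


class StatefulFilter:
    """Allows return traffic for connections it has already permitted, so no
    inbound rule is needed for the replies to an outbound session."""

    def __init__(self):
        self.connections = set()   # 5-tuples of permitted flows

    @staticmethod
    def direction(pkt):
        return "out" if pkt.src.startswith(INTERNAL_PREFIX) else "in"

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        # Part of an existing permitted connection (either direction): allow.
        if key in self.connections or reverse in self.connections:
            return "allow"
        # A TCP packet that is neither a new connection attempt nor part of a
        # known connection is dropped. A stateless filter would have to admit
        # any packet with ACK set just to let replies through.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        d = self.direction(pkt)
        for rule_dir, rule_proto, rule_port, action in RULES:
            if (rule_dir, rule_proto, rule_port) == (d, pkt.proto, pkt.dport):
                if action == "allow":
                    self.connections.add(key)   # dynamically open the return path
                return action
        return DEFAULT_ACTION


def demo():
    """Walk a few constructed packets through the filter; return the verdicts."""
    f = StatefulFilter()
    results = {}
    # Internal host opens an HTTP connection to a web server.
    results["http_syn"] = f.decide(Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, syn=True))
    # The server's SYN/ACK comes back: allowed by state, not by any inbound rule.
    results["http_synack"] = f.decide(Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True))
    # An unsolicited packet from source port 80 that matches no known connection.
    results["forged_reply"] = f.decide(Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40001, ack=True))
    # Outbound FTP control connection.
    results["ftp"] = f.decide(Packet("10.0.0.5", "203.0.113.10", "tcp", 40002, 21, syn=True))
    # Limitation: a hostile request on the permitted HTTP connection is still
    # allowed, because the payload is never inspected at this layer.
    results["hostile_http"] = f.decide(Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, ack=True,
                                              payload=b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

Note how the forged reply is dropped only because of the connection table; a static filter that lets "source port 80" in so that web replies work would have accepted it.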
What ALF Does
Application layer filtering goes beyond packet filtering and allows you to be much more granular in your control of what enters or exits the network. While packet filtering can be used to completely disallow a particular type of traffic (for example, FTP), it cannot "pick and choose" between different FTP messages and determine the legitimacy of a particular FTP message.
ALF, a more "intelligent" technology, can do just that. It can look for abnormal information in the headers of a message and even within the data itself, and it can be configured to look for specific character strings (words or phrases) within the message body and block messages that contain them. Thus you can use ALF to block attacks carried inside an application protocol, or to prevent internal users from sending particular sensitive information outside the network.
Advantages of ALF
Let's look at how that plays out in practice. We'll use spam prevention as an example. Your firewall can be a first line of defense against spam (in conjunction with a good server-based spam filtering program and/or client-side anti-spam utilities). With a traditional packet filtering firewall, your only options are to know the source addresses of all spammers (which change constantly) or to block SMTP altogether, which blocks legitimate mail too. Neither is practical.
With ALF, you can actually block messages at the firewall level according to keywords (character strings), making your firewall a much more powerful component in your spam control strategy. By performing the preliminary filtering at the firewall level, you can take some of the processing load off the server on which your primary spam filtering software is installed (the mail server or a separate server).
NOTE: When you use ALF to block keywords, be very judicious to avoid false positives (messages blocked as spam that are not really spam). You might wish to do most keyword filtering at the server or client level, where sophisticated anti-spam software will let you set up white lists of senders whose messages should always be allowed through even if they contain "spam" keywords. Keyword filtering at the firewall should be limited to those words/strings that never appear in legitimate messages.
What else can you do with ALF? Most importantly, by examining the content of data, an application layer filtering firewall can block attacks that ride on the application layer protocols, including:
- SMTP, POP3 and DNS buffer overflows (over-long commands, arguments or records that exceed what the server can safely handle)
- Web server attacks based on information in HTTP headers and requests
- Attack code hidden within SSL tunnels. This requires the firewall to terminate (or "bridge") the SSL connection so that it sees the decrypted content; an SSL tunnel that passes through the firewall end to end is opaque to any filter.
ALF can also examine specific commands (methods) within an application layer protocol. For example, the HTTP GET method could be blocked while the HTTP POST method is allowed.
Application layer filtering, used in conjunction with filtering at the lower layers, gives defence in depth: packet filtering cheaply discards everything that should never reach an application, and ALF inspects what remains. Neither layer on its own provides that level of protection.
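The following is an added example, not code from the article or from ISA Server, of what such an application layer filter does with the payload of connections a packet filter has already admitted. It covers both the spam example above (keyword strings in the SMTP message body, with a sender whitelist that bypasses the keyword check) and the HTTP points (a method policy that blocks GET while allowing POST, and header limits that catch oversized or malformed headers). The policy values, the whitelist and the sample messages are all constructed for the demo.

```python
# Added example (not from the article or from ISA Server): a toy application
# layer filter applied to the payload of connections a packet filter has
# already admitted. Policies and sample messages are constructed for the demo.

# HTTP policy. Mirrors the text's example of blocking GET while allowing POST;
# the header limits are assumed values chosen to catch oversized-header attacks.
HTTP_ALLOWED_METHODS = {"POST", "HEAD"}
HTTP_MAX_HEADER_LINE = 256
HTTP_MAX_HEADERS = 50

# SMTP policy. Only strings assumed never to appear in legitimate mail for this
# site, plus a sender whitelist that bypasses the keyword check entirely.
SMTP_BLOCK_STRINGS = (b"v1agra", b"cl1ck here to unsubscr1be")
SMTP_SENDER_WHITELIST = {b"partner@example.net"}


def filter_http(payload):
    """Return (verdict, reason) for a raw HTTP request."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, _target, version = lines[0].decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        # Non-ASCII bytes or the wrong number of fields: not an HTTP request line.
        return "deny", "malformed request line"
    if not version.startswith("HTTP/"):
        return "deny", "malformed request line"
    if method not in HTTP_ALLOWED_METHODS:
        return "deny", f"method {method} not permitted"
    headers = lines[1:]
    if len(headers) > HTTP_MAX_HEADERS:
        return "deny", "too many headers"
    for h in headers:
        if len(h) > HTTP_MAX_HEADER_LINE:
            return "deny", "oversized header line"
        if b":" not in h:
            return "deny", "malformed header"
    return "allow", "ok"


def filter_smtp(payload):
    """Return (verdict, reason) for the client side of an SMTP session:
    envelope commands, then the message after DATA up to the lone '.' line."""
    commands, sep, data = payload.partition(b"\r\nDATA\r\n")
    sender = None
    for line in commands.split(b"\r\n"):
        if line.upper().startswith(b"MAIL FROM:"):
            sender = line[len(b"MAIL FROM:"):].strip().strip(b"<>").lower()
    if sender in SMTP_SENDER_WHITELIST:
        return "allow", "whitelisted sender"
    message = data.split(b"\r\n.\r\n")[0].lower() if sep else b""
    for s in SMTP_BLOCK_STRINGS:
        if s in message:   # case-insensitive: both sides are lower-cased
            return "deny", f"blocked string {s.decode()!r}"
    return "allow", "ok"


def inspect(dport, payload):
    """Dispatch on the well-known destination port to a protocol filter."""
    if dport == 80:
        return filter_http(payload)
    if dport == 25:
        return filter_smtp(payload)
    return "allow", "no application filter for this port"


if __name__ == "__main__":
    print(inspect(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    print(inspect(80, b"POST / HTTP/1.1\r\nHost: " + b"A" * 3000 + b"\r\n\r\n"))
    print(inspect(25, b"HELO mx.spammer.invalid\r\nMAIL FROM:<bulk@spammer.invalid>\r\n"
                      b"RCPT TO:<bob@example.com>\r\nDATA\r\nSubject: hi\r\n\r\n"
                      b"Buy V1AGRA now\r\n.\r\n"))
```

The whitelist check runs before any keyword matching, which is the point of the NOTE above: a partner whose legitimate mail happens to contain a blocked string is never silently dropped. The cost is visible in the code as well: every byte of every admitted connection is parsed, which is where the performance and misconfiguration concerns discussed below come from.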
Disadvantages of ALF
The primary disadvantage of application layer filtering is its effect on performance. Examining the contents of packets requires time and thus slows down processing. ALF requires more powerful hardware resources than a traditional packet filtering firewall.
Another undeniable disadvantage is administrative overhead. Because ALF adds complexity, there is a potential for misconfiguration leading to access problems. As with any security solution, if it is improperly implemented ALF can block communications that you never intended to block.
Where Do You Get ALF?
More and more firewall and VPN product vendors are incorporating ALF into their products. These integrated products are often referred to as stateful multilayer inspection firewalls. They include the major firewall solutions from Check Point and Cisco as well as Microsoft's Internet Security and Acceleration (ISA) Server. ISA Server, in particular, offers a reasonably priced full featured ALF solution for today's businesses. For a detailed description of how ALF works in ISA Server 2000, see the ISA Server 2000 Application Layer Filtering Kit at http://www.isaserver.org/articles/spamalfkit.html.